This disclosure relates to tunneling and security provisioning.
The prevalence and accessibility of computer networks requires security measures to protect valuable information. An enterprise, for example, can implement such security measures by use of a layered security system. Such a layered security system can be implemented at the network edge of the enterprise, e.g., firewalls, gateway security agents, etc. Additionally, a layered security system can also include security processes and agents that are implemented throughout the enterprise, e.g., virus scanning software on each computer device within the enterprise, content filtering software, content monitoring software, etc.
However, such layered security systems are prone to processing inefficiencies and can require many resources within the enterprise to maintain the systems. The use of an “in-the-cloud” distributed security system that provides security services external to a network edge of an enterprise can overcome many of these processing inefficiencies. One example of such a system is the Global Cloud Infrastructure provided by Zscaler, Inc., of Sunnyvale, Calif.
In such a distributed security system, an enterprise can transmit data to and receive data from the distributed security system by use of tunneling technologies. A tunneling protocol enables one network protocol (the delivery protocol) to encapsulate packets that conform to a payload protocol, so as to carry the payload over an incompatible delivery network or to provide a secure path through an open network. Example tunneling technologies include generic routing encapsulation (GRE), layer two tunneling protocol (L2TP), point-to-point tunneling protocol (PPTP), Secure Socket Tunneling Protocol (SSTP) and IPsec protocols. Of these, GRE and L2TP provide encapsulation only; confidentiality and authentication of the tunneled traffic require a separate mechanism such as IPsec. Virtual private network (VPN) routers and VPN concentrators can be used to achieve the traffic redirection for tunneling.
The use of tunneling, however, presents the enterprise and the security provider with specific challenges and problems. In particular, tunnels, such as GRE tunnels, are used by cloud based services to direct network traffic through a cloud resident proxy node. Each proxy node stores a list of valid origins, i.e., the public source addresses that are allowed to establish tunnels to it; tunnel establishment from an address that is not on the list is refused, which prevents arbitrary tunnel establishments from overwhelming the proxy node. A location is created for each origin, and the security policies applicable to traffic arriving over the GRE tunnel from that origin are associated with its location.
Location association is complicated, however, by dynamic tunnels that are established from a dynamically assigned public IP address, such as dynamic GRE tunnels. Whenever the internet service provider (ISP) allocates a new address to the origin from its pool of IP addresses, the tunnel's source address no longer matches the entry in the origin list, and the tunnel becomes inactive until the list is updated. Maintaining the lists of valid origins and locations in a geographically segmented manner for numerous proxy nodes, and keeping them current as the population of proxy nodes and tunnel origins changes, is a challenging task. If the lists are not managed accurately, tunnel access may be granted to, or associated with, locations that had no prior access (for example when a released address is reassigned to another party), and incorrect policies may be applied to particular locations.
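As an added illustration of the origin-list and location mechanism and of the stale-list failure mode described in the two preceding paragraphs (example code written for this edit, not Zscaler's implementation), the following Python sketch parses the outer IPv4 and GRE headers of a packet, looks the outer source address up in a proxy node's origin list, applies the associated location's policy, and walks through what happens when an ISP renumbers the origin and later hands its old address to an unrelated site. All addresses, location names, policy labels, and the per-location internal prefix consistency check are constructed assumptions, not something the disclosure specifies.

```python
"""Sketch of a GRE proxy node with a per-node origin list keyed to locations and
policies, and the stale-origin failure mode when a tunnel origin's public IP is
reassigned by its ISP. Example code, not Zscaler's; all values are constructed."""
import ipaddress
import struct
from dataclasses import dataclass

IPPROTO_GRE = 47         # IP protocol number for GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed input only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_gre_packet(outer_src, outer_dst, inner_src, inner_dst, key=None):
    """IPv4 / GRE / IPv4. The outer source is what the proxy's origin list is keyed on."""
    inner = ipv4_header(inner_src, inner_dst, 6, 0)            # inner transport header omitted
    if key is None:
        gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)             # no C/K/S flags, version 0
    else:
        gre = struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, key)  # K flag set, 32-bit key follows
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def parse_gre_packet(pkt):
    """Return (outer_src, inner_src) for an IPv4/GRE/IPv4 packet, or None otherwise."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_GRE:
        return None
    gre = pkt[(ver_ihl & 0x0F) * 4:]
    if len(gre) < 4:
        return None
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007 != 0 or ptype != ETHERTYPE_IPV4:         # GRE version must be 0
        return None
    off = 4
    for bit in (0x8000, 0x2000, 0x1000):                        # C, K, S: each adds a 4-byte field
        if flags & bit:
            off += 4
    inner = gre[off:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(inner[12:16]))


@dataclass(frozen=True)
class Location:
    name: str
    policy: str           # constructed label for the policy set applied to this location's tunnel
    internal_prefix: str  # prefix the location is expected to tunnel (assumption, for the check below)


class ProxyNode:
    """One cloud-resident proxy node holding its own origin list."""

    def __init__(self):
        self.origins = {}  # valid origin public IP -> Location

    def add_origin(self, public_ip, location):
        self.origins[public_ip] = location

    def handle(self, pkt):
        parsed = parse_gre_packet(pkt)
        if parsed is None:
            return ("drop", "not-gre", None)
        outer_src, inner_src = parsed
        loc = self.origins.get(outer_src)
        if loc is None:
            # Unlisted origin: refused, which keeps arbitrary tunnel setups from loading the node.
            return ("drop", "unknown-origin", None)
        # Consistency check (an assumption added here, not from the disclosure): an inner source
        # outside the location's declared prefix suggests the outer address no longer belongs to it.
        if ipaddress.ip_address(inner_src) not in ipaddress.ip_network(loc.internal_prefix):
            return ("accept", loc.policy, "prefix-mismatch:" + loc.name)
        return ("accept", loc.policy, loc.name)


def scenario():
    """Walk through the stale-origin failure mode with constructed addresses."""
    node = ProxyNode()
    node.add_origin("203.0.113.10", Location("branch-a", "block-uploads", "10.1.0.0/16"))
    node.add_origin("203.0.113.20", Location("branch-b", "allow-all", "10.2.0.0/16"))
    gw = "198.51.100.1"  # proxy node's public address (constructed)
    # 1. Steady state: branch-a tunnels from its listed public address.
    normal = node.handle(build_gre_packet("203.0.113.10", gw, "10.1.4.7", "192.0.2.80"))
    # 2. The ISP renumbers branch-a; the origin list is stale, so the tunnel is refused.
    after_renumber = node.handle(build_gre_packet("203.0.113.30", gw, "10.1.4.7", "192.0.2.80"))
    # 3. Branch-a's old address is later given to an unrelated site, whose traffic now
    #    inherits branch-a's location and policy; only the inner prefix check notices.
    stale_entry_reused = node.handle(build_gre_packet("203.0.113.10", gw, "172.16.9.3", "192.0.2.80"))
    return normal, after_renumber, stale_entry_reused


if __name__ == "__main__":
    for label, result in zip(("normal", "after_renumber", "stale_entry_reused"), scenario()):
        print(f"{label:20s} -> {result}")
```

The second and third cases are the two outcomes the text warns about: a legitimate origin that goes inactive because its new address is not yet on the list, and a stale entry that associates an unrelated sender with a location and policy it should never have received. The inner-prefix check is one cheap signal a node could use to flag the latter, but it is an illustration, not a substitute for keeping the origin lists current.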